If you are familiar with the OSI model, you are aware that network packets are wrapped in layers called headers. Note: Don't confuse these with C++ headers; these are network packet headers, and I will try to always clarify by saying "packet headers" or "C++ headers". The goal of this article is to demonstrate how to unwrap these packet headers using C++ and the Pcap and tcpdump libraries.

Prerequisites

You have read the previous Pcap posts.

Basic understanding of the OSI model

Basic knowledge of networking

Packet Headers

The first layer of a valid packet will contain an Ethernet header, and it will be the first 14 octets. Each octet is a pair of hex digits. If you look at a standard TCP SYN packet in Wireshark, it will be displayed in Hex view as follows:

I will use hex unless demonstrating something that is easier to explain in binary.

Because this is a TCP SYN packet, the first packet of a TCP handshake, there is no data or payload, just packet headers. We can still demonstrate the idea of packet headers with it, and it is easier since the packet is smaller.

The first 14 octets comprise the first packet header, and it has three items of data:
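The following is an added example, not code from the original post, showing the unwrapping described here carried through all three layers of a TCP SYN frame: the 14-octet Ethernet header, then the IPv4 header, then the TCP header. It uses plain byte offsets that follow the Ethernet II, IPv4 and TCP wire formats rather than the tcpdump structs, so it compiles without libpcap; the 54-byte frame is constructed for the example (its IP and TCP checksums are left as zero), not taken from a capture. Every parser checks the remaining length before reading, which is the check a real capture needs because frames can be truncated by the snapshot length or simply malformed.

```cpp
#include <array>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <stdexcept>
#include <string>
#include <vector>

// Minimal views of the three headers. The tcpdump C++ headers describe the
// same layout with their own structs; explicit offsets keep this portable.
struct EthernetHeader {
    std::array<uint8_t, 6> dst;   // destination MAC, octets 0-5
    std::array<uint8_t, 6> src;   // source MAC, octets 6-11
    uint16_t ether_type;          // octets 12-13; 0x0800 = IPv4
};

struct Ipv4Header {
    uint8_t header_len;   // bytes, derived from IHL (32-bit words)
    uint8_t protocol;     // 6 = TCP
    uint32_t src;
    uint32_t dst;
};

struct TcpHeader {
    uint16_t src_port;
    uint16_t dst_port;
    uint8_t header_len;   // bytes, derived from the data offset field
    uint8_t flags;        // FIN=0x01 SYN=0x02 RST=0x04 PSH=0x08 ACK=0x10 URG=0x20
};

// Wire fields are big-endian; assemble them byte by byte instead of casting
// pointers, which avoids both endianness and alignment mistakes.
static uint16_t read_u16(const uint8_t* p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t read_u32(const uint8_t* p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

EthernetHeader parse_ethernet(const uint8_t* buf, size_t len) {
    if (len < 14) throw std::runtime_error("frame shorter than Ethernet header");
    EthernetHeader h{};
    std::memcpy(h.dst.data(), buf, 6);
    std::memcpy(h.src.data(), buf + 6, 6);
    h.ether_type = read_u16(buf + 12);
    return h;
}

Ipv4Header parse_ipv4(const uint8_t* buf, size_t len) {
    if (len < 20) throw std::runtime_error("packet shorter than minimum IPv4 header");
    if ((buf[0] >> 4) != 4) throw std::runtime_error("not IPv4");
    Ipv4Header h{};
    h.header_len = (uint8_t)((buf[0] & 0x0F) * 4);
    if (h.header_len < 20 || h.header_len > len) throw std::runtime_error("bad IHL");
    h.protocol = buf[9];
    h.src = read_u32(buf + 12);
    h.dst = read_u32(buf + 16);
    return h;
}

TcpHeader parse_tcp(const uint8_t* buf, size_t len) {
    if (len < 20) throw std::runtime_error("segment shorter than minimum TCP header");
    TcpHeader h{};
    h.src_port = read_u16(buf);
    h.dst_port = read_u16(buf + 2);
    h.header_len = (uint8_t)((buf[12] >> 4) * 4);
    if (h.header_len < 20 || h.header_len > len) throw std::runtime_error("bad data offset");
    h.flags = buf[13];
    return h;
}

std::string ipv4_to_string(uint32_t a) {
    char out[16];
    std::snprintf(out, sizeof out, "%u.%u.%u.%u", (unsigned)(a >> 24),
                  (unsigned)((a >> 16) & 0xFF), (unsigned)((a >> 8) & 0xFF), (unsigned)(a & 0xFF));
    return out;
}

// Unwrap Ethernet -> IPv4 -> TCP. True only for a pure SYN (SYN set, ACK clear)
// and only when every length check on the way down passed; truncation throws.
bool is_tcp_syn(const uint8_t* frame, size_t len) {
    EthernetHeader eth = parse_ethernet(frame, len);
    if (eth.ether_type != 0x0800) return false;
    size_t off = 14;
    Ipv4Header ip = parse_ipv4(frame + off, len - off);
    if (ip.protocol != 6) return false;
    off += ip.header_len;
    TcpHeader tcp = parse_tcp(frame + off, len - off);
    return (tcp.flags & 0x02) && !(tcp.flags & 0x10);
}

// Constructed 54-byte TCP SYN frame (not a real capture); checksums left zero.
const std::vector<uint8_t> kSynFrame = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00,  // Ethernet
    0x45,0x00,0x00,0x28, 0x12,0x34,0x40,0x00, 0x40,0x06,0x00,0x00,
    0xc0,0xa8,0x01,0x0a, 0x0a,0x00,0x00,0x01,                                // IPv4
    0xc3,0x50,0x00,0x50, 0x00,0x00,0x00,0x01, 0x00,0x00,0x00,0x00,
    0x50,0x02,0x72,0x10, 0x00,0x00,0x00,0x00                                 // TCP
};

int main() {
    Ipv4Header ip = parse_ipv4(kSynFrame.data() + 14, kSynFrame.size() - 14);
    TcpHeader tcp = parse_tcp(kSynFrame.data() + 14 + ip.header_len, kSynFrame.size() - 14 - ip.header_len);
    std::printf("%s:%u -> %s:%u syn=%d\n", ipv4_to_string(ip.src).c_str(), tcp.src_port,
                ipv4_to_string(ip.dst).c_str(), tcp.dst_port, (int)is_tcp_syn(kSynFrame.data(), kSynFrame.size()));
    return 0;
}
```

In a real capture loop the `frame` pointer and `len` come from the packet handed to your pcap callback; passing the captured length, not the on-wire length, is what makes the truncation checks meaningful.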

However, there are other C++ headers that provide structs for packet headers as well as useful #define statements and enumerations. Here is a list of some of the tcpdump C++ headers you should become familiar with.

Copyright ® Rhyous.com Linking to content on this site is allowed without permission and as many as ten lines of any article can be used along with such link. Any other use of the content is allowed only by permission of Rhyous.com.